Hacking Coin Collection

Coin Acceptor

Devices that collect coins for payment typically use standardized coin acceptors like the one shown here. These devices use a protocol called ccTalk to let the system know what coins were inserted. [Balda] has built tools for implementing the ccTalk protocol to let you play around with the devices. He also gave a talk at DEF CON (PDF) about the protocol.

[Balda] got started with ccTalk because he wanted to add a coin acceptor to a MAME cabinet, and had a coin acceptor. His latest project converts ccTalk to standard keyboard keystrokes using a Teensy. The MAME cabinet can then interpret these and add to the player’s credits.

There’s two interesting sides to this project. By providing tools to work with ccTalk, it’s much easier to take a used coin acceptor off eBay and integrate it into your own projects. On the other hand, these acceptors are used everywhere, and the tools could allow you to spoof coins, or even change settings on the acceptor.

Comments

  1. andarb says:

    Sounds like security through obscurity, never the best solution.

  2. CodeRed says:

    “and the tools could allow you to spoof coins, or even change settings on the acceptor”, I guess if you already have physical access to the inside of the machine and can plug into the data bus. But if you’re already inside the machine, you could just grab the soda.

    • F says:

      Have you ever been inside a soda machine? The soda is inside the refrigerator and the coin unit is on the outside of the refrigerator. To get at the soda, you have to open the refrigerator door by opening the latch that’s inside the front cover, behind that big ugly lock. You won’t get that door open without breaking the lock. However it may be possible to compromise the coin deposit signal without breaking the lock.

      • CodeRed says:

        Yeah, I’ve seen the vending guys refill the machines. I guess I’m not sure how you could get at the internal wiring without opening the locked cabinet.

      • fartface says:

        If you can hack the coin accepter without getting through the lock then you are superman. I am thinking that you have never seen the inside of them, I have, I have worked on them and rebuilt them. Once you are inside you access everything.

        • Greenaum says:

          Pretty simply, I’d think sending the right sequence of pulses through a coil, to induce a signal into the wires coming from the coin acceptor. If you manage to get them right, and with a bit of luck, the machine will think they’re genuine coin pulses.

          For the settings, presumably there are buttons on the coin acceptor unit that tell the main unit to change settings. I’d guess at one button on the locked inside, that enables extra options thru the keypad and display, through a menu system. Spoof that one button press and the cola is yours!

          Encryption would pretty much stop this, I think. But while Youtube is full of stupid fake “scams” like this, I’ve never heard of anyone hacking a soda machine without having the key to it (and then that’s just MIT-style pranks). Is this a solution to a problem that existed, or just something they decided to add now that powerful MPUs are so cheap?

          If the encryption’s only been added since 2010, that’s a lot of old machines out there, they tend to last a while. Although they’re usually leased, so are replaced more often. And if the encryrption requires much in the way of processing power from the person operating it, 9 out of 10 will leave it alone. And so what? Has there ever been reported attacks on machines like this? Not including the amazing robot that French kid made, out of an old printer. That was very impressive.

    • notdave says:

      @codered you could grab all the sodas, or you could modify the coin acceptor to think pennies are valid and count as 4 quarters. get it?

    • Justin Sabe says:

      Salt water in the coin slot. It shorts out the controller and turns the soda machine into a winning slot machine dumping cans and change out of it.

  3. austin says:

    even if we assume it’s possible to hack the coin slots to accept other coins or wooden nickles or whatever, if it is then someone needs to find it and follow responsible disclosure to have it fixed. saying “don’t do that because it could cause someone somewhere to compromise them” is just asinine.

  4. ejonesss says:

    CodeRed is right you have to have access to the inside of the machine in order to get to the wiring so the only way is if the soda co is stupid enough to forget to lockout the diagnostic mode so the pepsi, pepsi, diet pepsi, pepsi method would work (ok i made that one up but there is a sequence of product buttons to push to get the diagnostic mode)

    or via the ir sensor ( i have heard that some machines now have a remote)

    as of the non disclosure agreement you could sign the agreement and get the info then post it anonymously via p2p like tpb.

    • Mike says:

      “as of the non disclosure agreement you could sign the agreement and get the info then post it anonymously via p2p like tpb.”

      Wow, no honor amongst thieves, what problems are you solving by pirating this information?

  5. berk says:

    We’ve been using these for years. Seen attacks where an external switch panel has been prised off to give access to 0V, then a specially crafted stiff wire with bends in the right places inserted into a gap in the cabinet.

    They then wiggle this until they touch the cctalk line and start to add their own credit.

    This is all years in the past since encryption was implemented. I have not seen any further attacks of this kind.

  6. xorpunk says:

    To hack the protocol to cheat coin operated machines you’d still have to break into the machine, which in these days mostly have audible alarms(yes this includes soda machines). What you actually want to know to cheat them is the electromechanical characteristics of this part of the machine so you can fabricate your own coins out of wood or cheaper metals; if they don’t have magnetic sensors..

    How I know: I’ve talked to people who robbed coin operated machines for a living.. Mostly drink machines in front of shopping centers..

    P.S. they all can have their tubular locks picked to open them, but the alarms are all RF disabled..

    • xorpunk says:

      If you could reverse engineer the electromechanical sensors of this part or the paper currency part you could easily “jackpot” any type of machine with little effort or risk..

      • Greenaum says:

        A lot of coins nowadays, particularly lower denominations, are made just of steel, plated with something. Copper, in the case of pennies, since they had to make the law in the 70s prohibiting people from taking pennies to the scrap yard and selling them for their scrap value, which was more than their cash value.

        Some are made of cupronickel. Ebay tells me people make car parts out of it. Maybe a skilled smelter could mix some up.

        But for the cheap coins, what’s a coin got that a steel disc hasn’t? In the future, probably even now, it’s practical enough to use a camera and cheap processor to recognise coins, but the methods still in use are the old magnetic / weight / size ones. Some experimentation would be nice, from a person who owns one of these machines. If one were suitably curious I suppose one could buy a coin acceptor themselves, perhaps cheap as part of some old arcade machine. Particularly, acceptors often have instructions in the manuals to adjust them to take new coins. So it must be something anyone could do with a screwdriver and a bit of sense.

        • xorpunk says:

          There are actually money jars with the sensors in the lid where the slot you slide coins through that count the coins. They are cheap and in local stores in America.

          If it’s the same detection you could refine a method off of this with little investment. Else ebay is the best bet but would likely require building a test system using this protocol. Something with a tweeter or LED indicator would work.

          It’s interesting R&D, but you couldn’t publish it under a real name while in a US allied nation. You get visits from secret service or FBI just for having certain grades of paper or printing equipment there, you do something that could cost the government or government invested infrastructure a lot of money there, you could easily wind of dead or in a prison with a fixed trial..

        • cybergibbons says:

          I got some coin handlers out of machines in the early 2000s. I was very surprised at how good they were at rejecting invalid coins. I suspect trying to make fake coins to trick them would be a lot of work.

          • CodeRed says:

            They are pretty good. I once found a 1962 silver quarter in my pocket only because the soda machine would not accept it.

          • xorpunk says:

            Then it’s based on symmetry and magnetic properties. It could be done with composite molding materials. You’d be better off trying to fool the paper bill detection because of the overhead..

          • cybergibbons says:

            Notes are hard as well. The note handlers tend to be very high tech. But I don’t know about US bills, they look like they might be easy to copy.

          • xorpunk says:

            US bills have been done in Asia, it’s red fibers, micro printing, heat transfer and chemical treating. Those markers can be fooled just with one chemical on any type of paper.

            There is too much overhead though for either, it makes more sence to just pick the lock or crowbar it, except from the depletion aspect..

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 96,614 other followers